# Actions Object Structure (/docs/configuration/librechat_yaml/object_structure/actions)

Actions can be used to dynamically create tools from OpenAPI specs. The `actions` object structure allows you to specify allowed domains for agent/assistant actions.

More info: [Agents - Actions](/docs/features/agents#actions)

## Example

```yaml filename="Actions Object Structure"
# Example Actions Object Structure
actions:
  allowedDomains:
    - "swapi.dev"
    - "librechat.ai"
    - "google.com"
    - "https://api.example.com:8443"  # With protocol and port
```

## allowedDomains

**Key:**
<OptionTable
  options={[
    ['allowedDomains', 'Array of Strings', 'A list specifying allowed domains for agent/assistant actions.', 'When configured, only listed domains are allowed. When not configured, SSRF targets are blocked but all other domains are allowed.'],
  ]}
/>

**Optional**

### Security Context (SSRF Protection)

LibreChat includes SSRF (Server-Side Request Forgery) protection with the following behavior:

**When `allowedDomains` is NOT configured:**
- SSRF-prone targets are **blocked by default**
- All other external domains are **allowed**

**When `allowedDomains` IS configured:**
- **Only** domains on the list are allowed
- Internal/SSRF targets can be allowed by explicitly adding them to the list

**Blocked SSRF targets include:**
- **Localhost** addresses (`localhost`, `127.0.0.1`, `::1`)
- **Private IP ranges** (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`)
- **Link-local addresses** (`169.254.0.0/16`, includes cloud metadata IPs)
- **Internal TLDs** (`.internal`, `.local`, `.localhost`)
- **Common internal service names** (`redis`, `mongodb`, `postgres`, `api`, etc.)

If your actions need to access internal services, you **must explicitly add them** to `allowedDomains`.

### Pattern Formats

The `allowedDomains` array supports several formats:

1. **Domain only** - Allows all protocols and ports:
   ```yaml
   allowedDomains:
     - "api.example.com"
   ```

2. **With protocol** - Restricts to a specific protocol:
   ```yaml
   allowedDomains:
     - "https://api.example.com"
   ```

3. **With protocol and port** - Restricts to a specific protocol and port:
   ```yaml
   allowedDomains:
     - "https://api.example.com:8443"
   ```

4. **Internal addresses** (must be explicitly allowed):
   ```yaml
   allowedDomains:
     - "192.168.1.100"
     - "internal-api.local"
   ```

**Example:**
```yaml filename="actions / allowedDomains"
allowedDomains:
  - "swapi.dev"
  - "librechat.ai"
  - "google.com"
  - "https://secure-api.example.com:443"
  - "192.168.1.50"  # Internal service (explicitly allowed)
```
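
The following added example (not LibreChat's own code) models the decision rules from the Security Context and Pattern Formats sections, so you can check what a given list would permit before deploying it. The function names are hypothetical. It assumes exact hostname matching, no port restriction for protocol-only entries, default ports 80/443 when the URL omits one, and only the four service names this page lists; it checks the literal hostname and does not resolve DNS.

```javascript
// Added example: a model of the allowedDomains rules described on this page.
// Not LibreChat's implementation; every name below is hypothetical.
const DEFAULT_PORT = { http: '80', https: '443' };
const BLOCKED_V4 = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], ['169.254.0.0', 16]];
const INTERNAL_TLDS = ['.internal', '.local', '.localhost'];
const SERVICE_NAMES = ['redis', 'mongodb', 'postgres', 'api']; // only the names the page lists

const toInt = (ip) => ip.split('.').reduce((n, octet) => n * 256 + Number(octet), 0);
const inCidr = (ip, [base, bits]) =>
  Math.floor(toInt(ip) / 2 ** (32 - bits)) === Math.floor(toInt(base) / 2 ** (32 - bits));

// Default behaviour when allowedDomains is not configured: block listed SSRF targets.
function isSsrfTarget(host) {
  if (['localhost', '127.0.0.1', '::1'].includes(host)) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return BLOCKED_V4.some((cidr) => inCidr(host, cidr));
  return INTERNAL_TLDS.some((tld) => host.endsWith(tld)) || SERVICE_NAMES.includes(host);
}

// Split a list entry into optional protocol, host, and optional port.
function parsePattern(entry) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\[[^\]]+\]|[^/:]+)(?::(\d+))?$/i.exec(entry);
  if (!m) return null; // malformed entries never match anything
  return {
    protocol: m[1]?.toLowerCase(),
    host: m[2].replace(/^\[|\]$/g, '').toLowerCase(),
    port: m[3],
  };
}

function isActionUrlAllowed(url, allowedDomains) {
  let u;
  try { u = new URL(url); } catch { return false; } // unparseable URLs are refused
  const protocol = u.protocol.slice(0, -1);
  const host = u.hostname.replace(/^\[|\]$/g, ''); // URL keeps brackets on IPv6 literals
  const port = u.port || DEFAULT_PORT[protocol] || '';
  if (allowedDomains == null) return !isSsrfTarget(host); // not configured
  // Configured: only listed entries pass, including explicitly listed internal hosts.
  return allowedDomains.map(parsePattern).some((p) =>
    p && p.host === host &&
    (p.protocol === undefined || p.protocol === protocol) &&
    (p.port === undefined || p.port === port));
}
```

Note that once a list is configured, an internal address on it is reachable by actions, so internal entries are best pinned with protocol and port.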